SonicWall HA Deployments and Licensing Explained

A technical guide on HA deployments and licensing written by our Senior Network Security Engineer.

High Availability

SonicWall has three kinds of High Availability detailed below.

SonicWall High Availability is available on all SonicWall UTM Appliances apart from the Soho and all Wireless units.

Only the Primary SonicWall needs to be configured (in some cases you may need to log in to the Backup appliance and turn off the PortShielding feature).

The Primary SonicWall is the only appliance that needs to have the Security Services licensed.

When the appliances have been registered correctly in the same MySonicWall account, the licenses are shared across both appliances.

All settings and licensing are synchronised across both appliances.

Stateless (Active/Passive)

Stateless High Availability is the most basic kind of HA. When the Active SonicWall appliance fails, the Idle appliance becomes the Active appliance; all active connections are dropped and must then be renegotiated.

Stateful (Active/Passive)

With Stateful High Availability, when the Active SonicWall appliance fails, the Idle appliance becomes the Active appliance and retains most of the active connections, so they do not need to be renegotiated, thanks to the Virtual MAC feature.
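
Whichever HA type is deployed, the failover described above is an event a defender wants to see, count and sanity-check in the logs: a single clean takeover is expected, repeated takeovers within minutes (flapping) or two units both claiming to be Active (split-brain) are not. The script below is an added example, not part of this guide and not SonicWall's own tooling. It parses SonicWall-style key=value syslog lines, records each failover, flags flapping and flags split-brain. The key=value line layout follows the general shape of SonicWall syslog, but the HA message texts, serial numbers, addresses and timestamps are constructed for illustration and are not real SonicWall message IDs.

```python
"""Watch a SonicWall HA pair through its syslog feed: record failovers,
flag flapping and flag split-brain (both units claiming to be Active).

Added example, not part of the original guide and not SonicWall's own
tooling.  The key=value line layout (id=... sn=... time="..." fw=...
msg="...") follows the general shape of SonicWall syslog, but the HA
message texts, serial numbers, addresses and timestamps below are
constructed for illustration, not real SonicWall message IDs.
"""
import re
from datetime import datetime, timedelta

# Constructed sample feed: one clean failover at 09:15, followed by two
# more failovers within a few minutes (a flapping pair).
SAMPLE_LOG = """\
id=firewall sn=PRIMARYSN01 time="2024-01-10 09:00:00" fw=203.0.113.10 pri=5 msg="HA: Primary is Active"
id=firewall sn=BACKUPSN001 time="2024-01-10 09:00:01" fw=203.0.113.10 pri=5 msg="HA: Backup is Idle"
id=firewall sn=BACKUPSN001 time="2024-01-10 09:15:30" fw=203.0.113.10 pri=2 msg="HA: Backup transitioned to Active"
id=firewall sn=PRIMARYSN01 time="2024-01-10 09:15:31" fw=203.0.113.10 pri=2 msg="HA: Primary transitioned to Idle"
id=firewall sn=PRIMARYSN01 time="2024-01-10 09:20:00" fw=203.0.113.10 pri=2 msg="HA: Primary transitioned to Active"
id=firewall sn=BACKUPSN001 time="2024-01-10 09:20:01" fw=203.0.113.10 pri=2 msg="HA: Backup transitioned to Idle"
id=firewall sn=BACKUPSN001 time="2024-01-10 09:21:10" fw=203.0.113.10 pri=2 msg="HA: Backup transitioned to Active"
id=firewall sn=PRIMARYSN01 time="2024-01-10 09:21:11" fw=203.0.113.10 pri=2 msg="HA: Primary transitioned to Idle"
"""

# Constructed feed for the failure mode: the Backup takes over but the
# Primary never reports Idle and keeps announcing itself as Active.
SPLIT_BRAIN_LOG = """\
id=firewall sn=PRIMARYSN01 time="2024-01-11 08:00:00" fw=203.0.113.10 pri=5 msg="HA: Primary is Active"
id=firewall sn=BACKUPSN001 time="2024-01-11 08:00:01" fw=203.0.113.10 pri=5 msg="HA: Backup is Idle"
id=firewall sn=BACKUPSN001 time="2024-01-11 08:30:00" fw=203.0.113.10 pri=2 msg="HA: Backup transitioned to Active"
id=firewall sn=PRIMARYSN01 time="2024-01-11 08:31:00" fw=203.0.113.10 pri=5 msg="HA: Primary is Active"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"
HA_STATE_RE = re.compile(r"HA: (Primary|Backup) (?:is|transitioned to) (Active|Idle)")


def parse_line(line):
    """Split one key=value syslog line into a dict; 'time' becomes a datetime."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def ha_events(log_text):
    """Return [(timestamp, serial, role, state)] for every HA state message, in order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        match = HA_STATE_RE.search(fields.get("msg", ""))
        if match:
            events.append((fields["time"], fields["sn"], match.group(1), match.group(2)))
    return events


def analyse(log_text, grace=timedelta(seconds=5),
            flap_window=timedelta(minutes=10), flap_threshold=3):
    """Return {'failovers': [...], 'split_brain': [...], 'flapping': bool}.

    A failover is a unit becoming Active while another unit is already known
    (the first 'is Active' announcement at boot does not count).  A brief
    overlap where both units report Active is normal while the other side's
    Idle message is in flight; an overlap longer than `grace`, or one still
    open at the end of the feed, is reported as split-brain.  Reaching
    `flap_threshold` failovers inside `flap_window` is flagged as flapping.
    """
    state = {}          # serial -> last reported HA state
    failovers = []      # timestamps of each takeover
    split_brain = []    # (overlap start, overlap end or None if unresolved)
    overlap_start = None
    for ts, sn, _role, new_state in ha_events(log_text):
        other_known = any(s != sn for s in state)
        other_active = any(s != sn and st == "Active" for s, st in state.items())
        was_active = state.get(sn) == "Active"
        state[sn] = new_state
        if new_state == "Active":
            if other_known and not was_active:
                failovers.append(ts)
            if other_active and overlap_start is None:
                overlap_start = ts
        elif overlap_start is not None:
            if sum(st == "Active" for st in state.values()) < 2:
                if ts - overlap_start > grace:
                    split_brain.append((overlap_start, ts))
                overlap_start = None
    if overlap_start is not None:
        split_brain.append((overlap_start, None))
    flapping = any(failovers[i + flap_threshold - 1] - failovers[i] <= flap_window
                   for i in range(len(failovers) - flap_threshold + 1))
    return {"failovers": failovers, "split_brain": split_brain, "flapping": flapping}


if __name__ == "__main__":
    for name, feed in (("sample", SAMPLE_LOG), ("split-brain", SPLIT_BRAIN_LOG)):
        result = analyse(feed)
        print(name, "failovers:", [t.strftime("%H:%M:%S") for t in result["failovers"]],
              "flapping:", result["flapping"], "split-brain:", result["split_brain"])
```

The grace period matters in practice: the Backup's "Active" line and the Primary's "Idle" line arrive a second apart, so without it every healthy failover would look like a split-brain. Tune the flap window and threshold to your own change and maintenance patterns.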

 

Below is a list of all the connection types that will be synchronised from the Active appliance to the Idle unit when it becomes active.

Active/Active DPI (Active/Passive + Active/Active for DPI Services) *

Active/Active DPI works in the same way as Stateful HA, but with the extra ability to share Deep Packet Inspection traffic across both appliances. The firewall, NAT and other modules are still processed on the Active firewall.

The default settings are shown below and are based on the traffic or CPU load of the Primary appliance; they can be changed manually on the Internal Settings page to alter the threshold or to force all DPI traffic to be offloaded to the Idle appliance.

Figure: Active/Active DPI Default Settings

SonicWall Appliance Model and Licensing

Model                           | Stateful HA                                              | A/A DPI              | Clustering
--------------------------------|----------------------------------------------------------|----------------------|-------------------------------------------
TZ 300/350                      | N/A                                                      | N/A                  | N/A
TZ 400                          | N/A                                                      | N/A                  | N/A
TZ 500                          | Expanded License / Stateful HA Upgrade License           | N/A                  | N/A
TZ 600                          | Expanded License / Stateful HA Upgrade License           | N/A                  | N/A
NSA 2400 / NSA 2600 / NSa 2650  | Expanded license 01-SSC-7090 / HA license 01-SSC-7095    | N/A                  | N/A
NSA 3500 / NSA 3600 / NSa 3650  | Expanded license 01-SSC-7091 / HA license 01-SSC-7094    | N/A                  | Expanded 01-SSC-7091 (from 6.2.9 firmware)
NSA 4500 / NSA 4600 / NSa 4650  | Included                                                 | N/A                  | Expanded 01-SSC-4037 (from 6.2.9 firmware)
NSA E5500 / NSA 5600 / NSa 5650 | Included                                                 | Expanded 01-SSC-4480 | Expanded 01-SSC-4480
NSA E6500 / NSA 6600 / NSa 6650 | Included                                                 | Expanded 01-SSC-4481 | Expanded 01-SSC-4481
SM 9200 / NSa 9250              | Included                                                 | Included             | Included
SM 9400 / NSa 9450              | Included                                                 | Included             | Included
SM 9600 / NSa 9650              | Included                                                 | Included             | Included

Capture ATP is not supported for A/A DPI deployments.

For High Availability configuration guides, see the links below.

Tips for High Availability (HA) setup

How to Replace a Primary or Secondary High Availability (HA) unit

Associating an Appliance at First Registration on MySonicWall for High Availability

* Not to be confused with Active/Active Clustering, where in some scenarios two or more appliances have to be fully licensed.

SonicWall HA Clustering

  • In HA Clustering all firewalls ('Cluster Nodes') process traffic. There are several deployment methods and caveats, as stated below.
  • A 'Cluster Node' can be either a single appliance or two appliances in Stateful HA or Active/Active DPI.
  • There can be a maximum of 4 Cluster Nodes (8 appliances in total).
  • You would choose this method for extra redundancy and throughput.
  • This method requires additional network devices to load balance traffic using VRRP.
  • For the Full Mesh option utilising the redundant ports, it is recommended to use different coloured cables to avoid confusion.

Licensing Cluster Scenarios

  • The licensing depends on the configuration, e.g. in an Active/Active two-unit cluster, as shown in the image below, both appliances need to be fully licensed **.
  • In an Active/Passive HA four-unit cluster, where each Cluster Node comprises a Primary and a Backup appliance, only the Primary appliances need to be fully licensed **.
  • In an Active/Active DPI HA four-unit cluster, where each Cluster Node comprises a Primary and a Backup appliance, only the Primary appliances need to be fully licensed **.

** From firmware version 6.2.9 the NSA 3600 and 4600 are supported for Active/Active Clustering. The NSA 5600 and NSa 5650 require the Expanded license for the Active/Active DPI and Clustering options.

Active/Active Two Unit Cluster

The most basic deployment is the Active/Active two-unit cluster, shown below, where both appliances are fully licensed and processing traffic.

The configuration is managed on the Master Cluster Node (Cluster Node 1). If this fails, all traffic is processed by Cluster Node 2. Because this method has no Backup appliance within each Cluster Node, the Active/Active failover is Stateless: all network connections are reset and VPN tunnels are renegotiated.

Figure: Active/Active Two Unit cluster

Active/Active DPI HA Four Unit Cluster

For larger deployments, the cluster can include up to eight firewalls configured as four Cluster Nodes (or HA pairs). Within each Cluster Node, Stateful HA keeps the dynamic state synchronised for seamless failover with zero data loss and no single point of failure. Stateful HA is not required, but it is highly recommended for best performance during failover.

Figure: Active/Active DPI HA Four Unit Clustering

Feature Caveats

When Active/Active Clustering is enabled, only static IP addresses can be used on the WAN.

The following features are not supported when Active/Active Clustering is enabled:

  • DHCP Server
  • L3 Transparent Mode
  • L2 Bridging / L2 Transparent Mode
  • Dynamic DNS
  • Wire Mode

The following features are only supported on Virtual Group 1:

  • SonicWall GVC
  • SonicOS SSL VPN
  • IP Helper

For more information on SonicWall Clustering see here:

http://help.sonicwall.com/help/sw/por/6950/26/2/4/content/HA_AAClusteringConfig.htm

Copyright NetThreat Ltd

Attachment: SonicWall_HA_Deployments_Explained.pdf